Fidelis EDR
LAST UPDATED: 09/24/2024
Overview
Fidelis Endpoint Detection and Response (EDR) is a cybersecurity solution designed to protect organizations from advanced threats, detect suspicious activities, and respond to incidents on endpoints (such as computers, servers, and mobile devices). As part of the Fidelis Cybersecurity portfolio, it provides real-time visibility, threat detection, and response capabilities for identifying malicious behavior or vulnerabilities across endpoints.
D3 SOAR provides REST operations to work with Fidelis EDR.
Fidelis EDR is available for use in:
D3 SOAR | V16.7+ |
Category | Endpoint Security |
Deployment Options |
Connection
Permission Requirements
Each endpoint in the Fidelis EDR API requires a certain permission scope. The following are required scopes for the commands in this integration:
Command | Required Scopes |
Delete File Search Tasks | Scripts, View Executables, Delete Executables |
Download Collected Files | Scripts, View Executables |
Execute Script Package | Read groups, View Behaviors, View Task Results |
Fetch Event | View Alerts |
Get Collected Files | View Executables |
Get File Search Task Status | View Executables |
Get Script Job Results | Read groups, View Behaviors, View Task Results |
Get Script Job Status | Scripts, View Executables, View Task Results |
Get Script Manifests | View Behaviors |
Get Script Templates | View Behaviors |
List Hosts | N/A |
List Scripts | Read groups, View Behaviors |
Search Behavior Events | Read groups, View Behaviors, View Task Results |
Search Files | Scripts, View Executables |
Test Connection | View Alerts |
Configuring D3 SOAR to Work with Fidelis EDR
Log in to D3 SOAR.
Find the Fidelis EDR integration.
Navigate to Configuration on the top header menu.
Click on the Integration icon on the left sidebar.
Type Fidelis EDR in the search box to find the integration, then click it to select it.
Click + Connection, on the right side of the Connections section. A new connection window will appear.
Configure the following fields to create a connection to Fidelis EDR.
Connection Name: The desired name for the connection.
Site: Specifies the site to use the integration connection. Use the drop-down menu to select the site. The Share to Internal Sites option enables all sites defined as internal sites to use the connection. Selecting a specific site will only enable that site to use the connection.
Recipient site for events from connections Shared to Internal Sites: This field appears if you selected Share to Internal Sites for Site to let you select the internal site to deploy the integration connection.
Agent Name (Optional): Specifies the proxy agent required to build the connection. Use the dropdown menu to select the proxy agent from a list of previously configured proxy agents.
Description (Optional): Add your desired description for the connection.
Tenant (Optional): When configuring the connection from a master tenant site, you have the option to choose the specific tenant sites you want to share the connection with. Once you enable this setting, you can filter and select the desired tenant sites from the dropdowns to share the connection.
Configure User Permissions: Defines which users have access to the connection.
Active: Check the checkbox to ensure the connection is available for use.
System: This section contains the parameters defined specifically for the integration. These parameters must be configured to create the integration connection.
1. Input the Server URL
2. Input the Username
3. Input the Password.
Enable Password Vault: An optional feature that allows users to take the stored credentials from their own password vault. Please refer to the password vault connection guide if needed.
Connection Health Check: Updates the connection status you have created. A connection health check is done by scheduling the Test Connection command of this integration. This can only be done when the connection is active.
To set up a connection health check, check the Connection Health Check tick box. You can customize the interval (minutes) for scheduling the health check. An email notification can be set up after a specified number of failed connection attempts.
Test the connection.
Click Test Connection to verify the account credentials and network connection. If the Test Connection Passed alert window appears, the test connection is successful. You will see Passed with a green check mark appear beside the Test Connection button. If the test connection fails, please check your connection parameters and try again.
Click OK to close the alert window.
Click + Add to create and add the configured connection.
Commands
Fidelis EDR includes the following executable commands for users to set up schedules or create playbook workflows. With the Test Command, you can execute these commands independently for playbook troubleshooting.
Integration API Note
For more information about the Fidelis EDR API, please refer to the Fidelis EDR API Guide.
READER NOTE
Certain permissions are required for each command. Please refer to the Permission Requirements section for details.
Note for Time-related parameters
The input format of time-related parameters may vary based on your account settings. As a result, the sample data provided in our commands may differ from what you see. To set your preferred time format, follow these steps:
Navigate to Configuration > Application Settings. Select Date/Time Format.
Choose your desired date and time format, then click on the Save button.
After that, you will be able to view your preferred time format when configuring the DateTime input parameters for commands.
Delete File Search Tasks
Deletes the specified Search File task(s) to free up server space by removing them from the database and cleaning up their file system entries.
READER NOTE
Job IDs is a required parameter to run this command.
Run the Search Files command to obtain the Job IDs. Job IDs can be found in the raw data at the path $.data.jobId.
Input
Input Parameter | Required/Optional | Description | Example |
Job IDs | Required | The IDs corresponding to the jobs for which to delete the file search task(s). Job IDs can be obtained using the Search Files command. | CODE |
Output
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Delete Job failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data Delete Job failed. Status Code: 400. Message: Connection is required for Test Command |
Download Collected Files
Downloads the collected file from a previously initiated Search Files task.
READER NOTE
File ID and File Path are required parameters to run this command.
Run the Get Collected Files command to obtain the File ID. File IDs can be found in the raw data at the path $.data.jobResultInfos[*].collectedFiles[*].id.
Run the Get Collected Files command to obtain the File Path. File Paths can be found in the raw data at the path $.data.jobResultInfos[*].collectedFiles[*].filePath.
Input
Input Parameter | Required/Optional | Description | Example |
File ID | Required | The ID of the file to be downloaded. File ID can be obtained using the Get Collected Files command. | ***** |
File Path | Required | The file path of the file to be downloaded. File Path can be obtained using the Get Collected Files command. | [root]\\av tenant\\AgentSetup.txt |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | File Search Result Metadata failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data File Search Result Metadata failed. Status Code: 400. Message: Connection is required for Test Command |
Execute Script Package
Executes a script package. This command allows you to run scripts, including actions such as killing a process, deleting a file, listing processes, and isolating or unisolating an endpoint.
READER NOTE
Script ID is a required parameter to run this command.
Run the List Scripts command to obtain the Script ID. Script IDs can be found in the raw data at the path $.data.scripts[*].id.
Questions is an optional parameter to run this command.
Run the Get Script Templates command to obtain Questions.
Input
Input Parameter | Required/Optional | Description | Example |
Script ID | Required | The ID of the script package to execute. Script ID can be obtained using the List Scripts command. | ***** |
Endpoint IPs | Optional | The IP address(es) of the endpoint(s) where the script is to be executed. By default, all endpoints will be used. | CODE |
Script Time Out | Optional | The maximum duration, in seconds, allowed for the execution of the script before it times out. By default, the value is 300 seconds. | 600 |
Questions | Optional | The parameter(s) for a specific script, with each script requiring its own template. Question templates can be obtained using the Get Script Templates command. | JSON |
Output
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | File Search Status failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data File Search Status failed. Status Code: 400. Message: Connection is required for Test Command |
Fetch Event
Ingests Fidelis EDR alerts into D3 vSOC based on search conditions. The alerts are sorted by create date in descending order.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Optional | The beginning of the time range, in UTC, for retrieving Fidelis EDR alerts. By default, the start time is 3 days before the End Time. | 2024-08-06 18:00:00 |
End Time | Optional | The end of the time range, in UTC, for retrieving Fidelis EDR alerts. By default, the end time is the current time. | 2024-08-06 18:59:59 |
Search Conditions | Optional | Search field(s) and value(s) used to filter alert results using Facet Search syntax. To retrieve alerts for a specific endpoint, such as 'MisterTaylor-PC', see the example on the right. Refer to the Fidelis API Guide for details on Facet Search. Operator values must be specified using their corresponding integer values. For example, '=' is represented as 0, while 'Contains' is represented as 7. | JSON |
Number of Event(s) Fetched | Optional | The maximum number of alerts to return, ranging from 1 to 1000. By default, all alerts matching the filter criteria will be returned. | 10 |
Output
Fetch Event Field Mapping
Fetch Event commands require event field mapping. Field mapping plays a key role in data normalization within the event pipeline: it converts the original data fields from the different providers to standardized D3 fields as defined by the D3 Model. Refer to Event and Incident Intake Field Mapping for details.
To customize field mapping, click + Add Field and add the custom field of your choice. You can also remove built-in field mappings by clicking x. Note that two underscore characters will automatically prefix the defined Field Name as the System Name for a custom field mapping. Additionally, if an input Field Name contains any spaces, they will automatically be replaced with underscores for the corresponding System Name.
As a system integration, the Fidelis EDR integration has some pre-configured field mappings for default field mapping.
Default Event Source
The Default Event Source is the default set of field mappings applied when this Fetch Event command is executed. For out-of-the-box integrations, the system provides this set of field mappings, which covers common fields from fetched alerts. The default event source has a "Main Event JSON Path" (i.e. $.data.entities) that is used to extract a batch of events from the response raw data. Click Edit Main JSON Path to view the "Main Event JSON Path".
Main Event JSON Path: $.data.entities
The Main Event JSON Path determines the root path where the system starts parsing raw response data into D3 event data. The JSON path begins with $, representing the root element. The path is formed by appending a sequence of child elements to $, each separated by a dot (.). Square brackets with nested quotation marks (['...']) should be used to separate child elements in JSON arrays.
For example, the root node of a JSON Path is $.data.entities. The child node denoting the Artifact Name field would be .artifactName. Putting it together, the JSON Path expression to extract the Artifact Name is $.data.entities.artifactName.
The pre-configured field mappings are detailed below:
Field Name | Source Field |
Artifact Name | .artifactName |
Endpoint ID | .endpointId |
Event Index | .eventIndex |
Event Time | .eventTime |
Has Job | .hasJob |
Insertion Time | .insertionDate |
Intel ID | .intelId |
Intel Name | .intelName |
Parent Event Time | .parentEventId |
Report ID | .reportId |
Telemetry | .telemetry |
Validated Date | .validatedDate |
Document ID | .id |
Event name | .name |
Original event ID | .eventId |
Event Type | .eventType |
Hostname | .endpointName |
Start Time | .createDate |
Description | .description |
Action taken | .actionsTaken |
Operating system | .osType |
Severity | .severity |
Source type | .sourceType |
Source | .source |
Tag | .agentTag |
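As an added illustration (not D3 SOAR's or Fidelis' own code), the following Python applies the Main Event JSON Path and a subset of the mappings in the table above to a constructed response, and derives the System Name for a custom field as described earlier; the sample alert values and helper names are assumptions.

```python
"""Apply the Fetch Event field mapping to a constructed Fidelis EDR-style
response. Added illustration; the response content is made up."""
import re

# Main Event JSON Path from the page: selects the batch of alerts to iterate.
MAIN_EVENT_JSON_PATH = "$.data.entities"

# A subset of the pre-configured mappings (D3 field -> source field, relative
# to each entity selected by the main path).
DEFAULT_FIELD_MAPPING = {
    "Artifact Name": ".artifactName",
    "Endpoint ID": ".endpointId",
    "Event Time": ".eventTime",
    "Intel Name": ".intelName",
    "Document ID": ".id",
    "Event name": ".name",
    "Event Type": ".eventType",
    "Hostname": ".endpointName",
    "Start Time": ".createDate",
    "Severity": ".severity",
    "Source": ".source",
}

# Constructed sample response (assumption, not real Fidelis data).
SAMPLE_RESPONSE = {
    "data": {
        "entities": [
            {"id": "doc-1", "name": "Suspicious PowerShell", "eventType": "Process",
             "artifactName": "powershell.exe", "endpointId": "ep-100",
             "endpointName": "MisterTaylor-PC", "eventTime": "2024-08-06T18:10:00Z",
             "createDate": "2024-08-06T18:10:05Z", "intelName": "Encoded command",
             "severity": "High", "source": "Fidelis EDR"},
            {"id": "doc-2", "name": "New service installed", "eventType": "Service",
             "artifactName": "svc.exe", "endpointId": "ep-101",
             "endpointName": "FILESRV01", "eventTime": "2024-08-06T18:20:00Z",
             "createDate": "2024-08-06T18:20:02Z", "severity": "Medium",
             "source": "Fidelis EDR"},
        ]
    }
}

# One child element: either .name or ['name'], the two forms the page describes.
_TOKEN = re.compile(r"\.([A-Za-z0-9_]+)|\['([^']*)'\]")


def path_tokens(path):
    """Split a JSON Path such as $.data.entities or $['data']['entities']
    into child-element names; a leading '$' denotes the root."""
    body = path[1:] if path.startswith("$") else path
    names, pos = [], 0
    while pos < len(body):
        m = _TOKEN.match(body, pos)
        if not m:
            raise ValueError("unsupported JSON Path syntax at %r" % body[pos:])
        names.append(m.group(1) if m.group(1) is not None else m.group(2))
        pos = m.end()
    return names


def resolve(node, path):
    """Walk `path` from `node`; return None when a child is missing so an
    alert that lacks an optional field does not abort the whole batch."""
    for name in path_tokens(path):
        if not isinstance(node, dict) or name not in node:
            return None
        node = node[name]
    return node


def system_name(field_name):
    """System Name D3 derives for a custom field: two leading underscores and
    spaces replaced by underscores, as the field mapping section describes."""
    return "__" + field_name.replace(" ", "_")


def map_events(raw, main_path=MAIN_EVENT_JSON_PATH, mapping=DEFAULT_FIELD_MAPPING):
    """Extract the event batch at `main_path` and translate each entity into
    a dict keyed by D3 field name, skipping fields absent from the entity."""
    batch = resolve(raw, main_path)
    if not isinstance(batch, list):
        raise ValueError("Main Event JSON Path %s did not select an array" % main_path)
    events = []
    for entity in batch:
        event = {}
        for d3_field, source in mapping.items():
            value = resolve(entity, source)
            if value is not None:
                event[d3_field] = value
        events.append(event)
    return events


if __name__ == "__main__":
    custom = dict(DEFAULT_FIELD_MAPPING)
    custom[system_name("Agent Tag")] = ".agentTag"  # a custom field mapping
    for ev in map_events(SAMPLE_RESPONSE, mapping=custom):
        print(ev)
```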
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Get Script Job Status failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data Get Script Job Status failed. Status Code: 400. Message: Connection is required for Test Command |
Get Collected Files
Retrieves the files collected by a previously executed Search Files command, providing the File ID necessary for executing the Download Collected Files command. Before using this command, ensure that the Search Files task has completed successfully by checking its status with the Get File Search Task Status command.
READER NOTE
Job ID and Job Result ID are required parameters to run this command.
Run the Search Files command to obtain them. Job IDs can be found in the raw data at the path $.data.jobId, while Job Result IDs can be found at the path $.data.jobResultId.
Input
Input Parameter | Required/Optional | Description | Example |
Job ID | Required | The ID corresponding to the job for which to retrieve the collected files. Job ID can be obtained using the Search Files command. | ***** |
Job Result ID | Required | The ID corresponding to a job result for retrieving the collected files. Job Result ID can be obtained using the Search Files command. | ***** |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Alerts failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data List Alerts failed. Status Code: 400. Message: Connection is required for Test Command |
Get File Search Task Status
Retrieves the status of a previously initiated Search Files task.
READER NOTE
Job ID and Job Result ID are required parameters to run this command.
Run the Search Files command to obtain them. Job IDs can be found in the raw data at the path $.data.jobId, while Job Result IDs can be found at the path $.data.jobResultId.
Input
Input Parameter | Required/Optional | Description | Example |
Job ID | Required | The ID corresponding to the job for which to retrieve the Search Files task status. Job ID can be obtained using the Search Files command. | ***** |
Job Result ID | Required | The ID corresponding to a job result for retrieving the Search Files task status. Job Result ID can be obtained using the Search Files command. | ***** |
Poll Timeout | Optional | The duration, in seconds, that the command will continue polling. The command will continue to poll until the specified duration has elapsed or until the task status changes to Completed or Failed. By default, the value is 0, meaning that the command will return the task status immediately. The maximum value is 1800 seconds (30 minutes). If a value exceeding 1800 is provided, it will be capped at 1800 seconds. | 30 |
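An added Python illustration of the Poll Timeout semantics described in the table above (0 returns the status immediately, polling stops at Completed or Failed, values above 1800 are capped); it is not D3 SOAR's own code, and the status source, fake clock and function names are constructed for the example.

```python
"""Bounded status polling with the Poll Timeout semantics of Get File Search
Task Status. Added illustration; the status provider is injected so the
loop runs offline."""
import time

MAX_POLL_SECONDS = 1800                 # cap stated on the page (30 minutes)
TERMINAL_STATES = {"Completed", "Failed"}


def poll_task_status(get_status, poll_timeout=0, interval=5,
                     clock=time.monotonic, sleep=time.sleep):
    """Return (status, polls). A timeout of 0 returns the current status at
    once; otherwise keep polling until a terminal state is seen or the
    (capped) timeout elapses, never sleeping past the deadline."""
    timeout = min(max(int(poll_timeout), 0), MAX_POLL_SECONDS)
    deadline = clock() + timeout
    polls = 0
    while True:
        status = get_status()
        polls += 1
        if status in TERMINAL_STATES or clock() >= deadline:
            return status, polls
        sleep(min(interval, max(deadline - clock(), 0)))


class FakeClock:
    """Simulated monotonic clock: sleeping advances time instantly."""

    def __init__(self):
        self.now = 0.0

    def time(self):
        return self.now

    def sleep(self, seconds):
        self.now += seconds


def simulate(statuses, poll_timeout, interval=5):
    """Feed a constructed sequence of task statuses (the last one repeats)
    through the poller under a fake clock; returns (status, polls, elapsed)."""
    clock = FakeClock()
    remaining = list(statuses)

    def get_status():
        # Consume the next status; once exhausted, keep reporting the last one.
        return remaining.pop(0) if len(remaining) > 1 else remaining[0]

    status, polls = poll_task_status(get_status, poll_timeout, interval,
                                     clock.time, clock.sleep)
    return status, polls, clock.now


if __name__ == "__main__":
    print(simulate(["Pending", "Running", "Completed"], poll_timeout=30))
    print(simulate(["Pending"], poll_timeout=0))
    print(simulate(["Running"], poll_timeout=5000, interval=600))  # capped at 1800
```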
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | List Scripts failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data List Scripts failed. Status Code: 400. Message: Connection is required for Test Command |
Get Script Job Results
Retrieves the execution results of the script package job.
READER NOTE
Job ID is a required parameter to run this command.
Run the Execute Script Package command to obtain the Job ID. Job IDs can be found in the raw data at the path $.data.jobId.
Input
Input Parameter | Required/Optional | Description | Example |
Job ID | Required | The ID of the script package execution job for which to retrieve the results. Job ID can be obtained using the Execute Script Package command. | ***** |
Search Conditions | Optional | The search field(s) and value(s) used to filter job results with Facet Search syntax. To retrieve job results for a specific endpoint, such as '*****,' see the example on the right. Refer to the Fidelis API Guide for details on Facet Search. Operator values must be specified using their corresponding integer values. For example, '=' is represented as 0, while 'Contains' is represented as 7. | JSON |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Script Manifest failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data Script Manifest failed. Status Code: 400. Message: Connection is required for Test Command |
Get Script Job Status
Retrieves the status of a script package execution job using the Job Result ID.
READER NOTE
Job Result ID is a required parameter to run this command.
Run the Execute Script Package command to obtain the Job Result ID. Job Result IDs can be found in the raw data at the path $.data.jobResultId.
Input
Input Parameter | Required/Optional | Description | Example |
Job Result ID | Required | The result ID of the script package execution job for which to retrieve the status. Job Result ID can be obtained using the Execute Script Package command. | ***** |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search File failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data Search File failed. Status Code: 400. Message: Connection is required for Test Command |
Get Script Manifests
Retrieves the script package manifest(s) using the Script ID(s).
READER NOTE
Script IDs is a required parameter to run this command.
Run the List Scripts command to obtain the Script IDs. Script IDs can be found in the raw data at the path $.data.scripts[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Script IDs | Required | The ID(s) of the script package(s) to get manifest(s) for. Script IDs can be obtained using the List Scripts command. | CODE |
Output
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search File failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data Search File failed. Status Code: 400. Message: Connection is required for Test Command |
Get Script Templates
Retrieves the script package template(s) using the Script ID(s).
READER NOTE
Script IDs is a required parameter to run this command.
Run the List Scripts command to obtain the Script IDs. Script IDs can be found in the raw data at the path $.data.scripts[*].id.
Input
Input Parameter | Required/Optional | Description | Example |
Script IDs | Required | The ID(s) of the script package(s) to get template(s) for. Script IDs can be obtained using the List Scripts command. | CODE |
Output
Error Handling
If the Return Data displays Partially Successful or Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search File failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data Search File failed. Status Code: 400. Message: Connection is required for Test Command |
List Hosts
Retrieves endpoint information based on host name or IP address. Endpoints with a host name in the Host Names list or an IP address in the IP Addresses list will be returned.
Input
Input Parameter | Required/Optional | Description | Example |
Host Names | Optional | The host name(s) of the endpoint(s) to be retrieved. | CODE |
IP Addresses | Optional | The IP address(es) of the endpoint(s) to be retrieved. | CODE |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search File failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data Search File failed. Status Code: 400. Message: Connection is required for Test Command |
List Scripts
Retrieves a list of all script packages.
Input
N/A
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or the third-party API call, including Failure Indicator, Status Code, and Message. These help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search File failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data Search File failed. Status Code: 400. Message: Connection is required for Test Command |
Search Behavior Events
Retrieves information about behaviors (events) for a specific entity type.
Input
Input Parameter | Required/Optional | Description | Example |
Start Time | Optional | The beginning of the time range, in UTC, for returning behavior events. By default, the start time is 3 days before the End Time. | 2024-08-06 18:00:00 |
End Time | Optional | The end of the time range, in UTC, for returning behavior events. By default, the end time is the current time. | 2024-08-06 18:59:59 |
Host Names | Optional | Filters behavior event results to the specified endpoint(s); full or partial host name(s) are accepted. | CODE |
Entity Type | Required | The entity type to query behavior events. | Process |
OS Types | Optional | The operating system type(s) used to query behavior events. By default, the query does not filter by OS type. The available OS types are Windows and Linux. | [ "Windows", "Linux" ] |
Logic Operator | Optional | The logic operator (AND / OR) used among filters. By default, the value is AND. | AND |
Filters | Required | Criteria that narrow down behavior event search results. D3 uses the 'CriteriaV3' object, enabling the use of composite filters to implement complex conditional logic, such as '(A AND B) OR (C AND D)'. Each filter JSON object must include the fields column, operator, and value. For information on composite filter syntax, refer to the Fidelis API guide or consult D3 Support. | JSON |
Limit | Optional | The maximum number of behavior events to return. The permissible range is an integer from 1 to 1000. By default, the limit is 1000. To return all results, enter -1. | 10 |
Relationship Parent Filters | Optional | A parent filter for search results. This parameter is not applicable to the System and USB main entity types. When the main entity type is Process, the parent filter selects results based on the attributes of the parent processes that started the processes in the result set. For other entity types, the parent filter selects results based on the attributes of the process that performed the action represented by that entity type; in such cases the "parent" process is more precisely the acting process, though the two concepts are similar. Users may use a parent filter to exclude results where the parent (or acting) process is a trusted process, as identified by its hash, signature, or well-known PID. The logic operator applied among relationship parent filters is AND. | JSON |
Relationship Children Criteria | Optional | This parameter is valid only when the main entity type is Process. Child filters narrow the process results based on the behaviors those processes performed. A child filter specifies a particular behavior by its entity type and other criteria specific to that entity type. When using a child filter, USB and System cannot be specified, as these entity types are not associated with processes. Child filters can be used to identify suspicious behaviors, such as establishing a network connection to a known malicious IP address or accessing sensitive registry keys. The logic operator applied among child criteria is AND. Refer to the sample data for the syntax of child criteria. | JSON |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or by the third-party API call, including the Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search File failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data | Search File failed. Status Code: 400. Message: Connection is required for Test Command |
Search Files
Collects files that match specified search criteria across a set of endpoints.
Input
Input Parameter | Required/Optional | Description | Example |
Hosts | Optional | The host(s) on which files will be searched. | JSON |
MD5s | Optional | The MD5 hash value(s) of the file(s) to be searched. | JSON |
File Extensions | Optional | The extension(s) of the file(s) to be searched. | JSON |
File Paths | Optional | The file path(s) to be searched. | JSON |
File Size | Optional | The minimum file size of the file(s) to be searched. By default, the value is 1024. | 100 |
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or by the third-party API call, including the Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Search File failed. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data | Search File failed. Status Code: 400. Message: Connection is required for Test Command |
Test Connection
Allows you to perform a health check on an integration connection. You can schedule a periodic health check by selecting Connection Health Check when editing an integration connection.
Input
N/A
Output
Error Handling
If the Return Data displays Failed, an Error tab will appear in the Test Result window.
The Error tab contains the details returned by D3 SOAR or by the third-party API call, including the Failure Indicator, Status Code, and Message, which help you locate the root cause of a command failure.
Parts in Error | Description | Example |
Failure Indicator | Indicates the command failure that happened at a specific input and/or API call. | Test Connection failed. Failed to check the connector. |
Status Code | The response code issued by the third-party API server or the D3 SOAR system that can be used to locate the corresponding error category. For example, if the returned status code is 401, the selected connection is unauthorized to run the command. The user or system support would need to check the permission setting in the Fidelis EDR portal. Refer to the HTTP Status Code Registry for details. | Status Code: 400. |
Message | The raw data or captured key error message from the integration API server about the API request failure. | Message: Connection is required for Test Command |
Error Sample Data | Test Connection failed. Failed to check the connector. Status Code: 400. Message: You must have a valid Support account to call this API |